Send Threat Intelligence to the People Who Need It.
Mailroom is the Liberty91 feature for dispatching threat intelligence packages (reports, IOCs, Sigma detection rules, and STIX bundles) to the stakeholders who act on them. Every dispatch is captured in an auditable Sent log, across every organisation in your account.
Start Free Trial
One dashboard. Every dispatch. Filterable per organisation, with the full Sent log underneath.
The Problem.
Threat intelligence only reduces risk if it reaches the person who can act on it. Today, that handover is usually a PDF forwarded by email, a Slack message with an IOC list, a STIX bundle uploaded somewhere and hoped for. No record of what was sent, in what format, to which stakeholder, on what day.
For MSSPs and security teams covering multiple organisations, the problem multiplies. Every customer expects intelligence in the formats their tooling consumes. Every CISO wants evidence that the work happened. Every analyst wants their report to land in the right inbox, not in a generic shared folder.
Dissemination is the last mile of the CTI lifecycle, and it has been the least-tooled. Mailroom closes it.
How Dispatch Works.
Compose the Package
Assemble what the stakeholder needs from inside Liberty91: a written report, an IOC list, Sigma detection rules, a STIX 2.1 bundle, or any combination. Every artefact is generated from the same agent-curated intelligence so there is no copy-paste between tools.
Pick Who Receives It
Address the package to the role-based inboxes that act on intelligence: SOC, CISO, IR team, security lead, customer-side contacts. Mailroom keeps the recipient list per organisation so MSSPs can dispatch the right view to each client without manual address-book work.
Send and Keep the Record
Mailroom dispatches the package and writes a row to the Sent log capturing what was sent, to whom, in which organisation, at what time, and of what kind. The log becomes the evidence trail you bring to a QBR, a board update, or an audit.
What You Can Send.
Four content types. Three dispatch kinds. Every recipient gets intelligence in the format their tooling expects.
Reports
Written threat intelligence reports (assessments, briefings, RFI responses, daily summaries) produced by the platform and ready to send.
IOCs
Structured indicator lists (IPs, domains, hashes, URLs) extracted from incoming events, ready to load into a SIEM, EDR, or TIP.
Detection rules
Sigma rules tied to specific MITRE ATT&CK techniques, ready for the SOC to deploy into their detection stack.
STIX bundles
STIX 2.1 bundles for direct ingestion into MISP, OpenCTI, or any TAXII-aware sharing community.
Dispatch kind
Package
An ad-hoc dispatch. Pick a report, attach the IOCs and detection rules, send to the right stakeholder. The headline use case.
Dispatch kind
Morning Report
The personalised daily summary, routed through Mailroom so the existing morning brief contributes to the same audit trail as everything else.
Dispatch kind
Alert
Time-sensitive dispatches when a threat event crosses an Intelligence Requirement's threshold. Same auditable record, faster route to the inbox that acts on it.
Multi-tenant by default.
Mailroom's organisation filter lets you look at a single customer's dispatch history or aggregate the entire book at once. Recipient lists are scoped per customer organisation, so the SOC at ACME Aviation gets ACME Aviation's intelligence, and the Sent log gives you the evidence trail to bring to a QBR or renewal conversation.
The Sent log.
Every dispatch is recorded. The Sent log captures the timestamp, the kind (Package, Morning Report, Alert), the recipient, the organisation, and the title of the artefact. Filter by date range or organisation to pull the slice you need for a board update, an audit, or an internal handover.
Example row
On May 14, 2026 Mailroom dispatched a Package titled BlackCat/ALPHV tactics against telecom operators to ciso@acmetelecom.example.com on behalf of the ACME Telecom organisation.
That row stays in the log. When the CISO asks at next quarter's review what intelligence was shared on telecom threats in May, the answer is on screen.
Compatible with the tooling your stakeholders already use.
STIX 2.1 and MISP-ready
STIX bundles are dispatched as standards-compliant 2.1 JSON, ready for ingestion into MISP, OpenCTI, or any TAXII-aware community. No format wrangling on the recipient side.
Sigma rules mapped to MITRE ATT&CK
Detection rules are dispatched in Sigma format with the MITRE ATT&CK technique each one is built against, so the receiving SOC can wire them straight into their detection stack and review coverage.
IOC lists ready for the SIEM
Indicator lists are structured for direct ingestion into SIEMs, EDRs, and TIPs, with the indicator type (IP, domain, hash, URL) and supporting context attached.
Written reports for human stakeholders
CISO briefings, RFI responses, and daily summaries are dispatched as readable reports. That is the format your board, your IR team, and your customers actually want.
Where Mailroom fits in the lifecycle.
Collection. Processing. Analysis. Dissemination. The CTI lifecycle has always had four working phases and one chronically under-tooled one. Liberty91's agents already cover the first three across hundreds of sources, your Intelligence Requirements keep the analytical context current, and Document Upload grounds each organisation's profile in the documents you already have.
Mailroom is the dissemination layer. It turns every artefact the platform produces into a dispatched, auditable handover to the stakeholder who acts on it.
Frequently Asked Questions.
Ready to do more with less?
Request a demo or start your free trial today. Get instant access to AI-powered threat intelligence tailored to your organisation.